Cyber Skills Gap Quantified in Terms of Supply and Demand

Gaining and retaining security talent is a major headache for almost all security leaders -- indeed, the consensus is that the world is suffering under a chronic security skills gap. But most of the evidence for this skills gap is empirical; there is little hard evidence in facts and figures.

Indeed.com, which describes itself as the world's number one jobs site, has now provided facts and figures from its own experiences. It does this by comparing security vacancies (industry demand) against click-interest (supply) from job seekers. The difference between the two figures demonstrates the size of the skills gap in terms of both security specifics and global region. Since Indeed is able to compare the difference today with the difference from two years ago, it is also able to quantify whether the skills gap is widening or narrowing.

Geographically, Israel has the highest demand (measured by security job postings per million postings). This is 89.2% higher than second-placed Ireland; 118.8% higher than third-placed UK; and 187% higher than the US in fourth place. The figures merely quantify the demand -- they do not explain it.

Indeed.com postulates that the strong demand in Israel comes from the country's position as second only to the US as an exporter of security goods and services, combined with the emphasis it places on security in general. Ireland could figure so highly because of the tendency for multi-nationals to site their European headquarters in the country (according to Ireland's investment agency, "over 1,200 companies... have already chosen Ireland as their strategic European base.")

An implication from the US figuring so far behind Israel and Ireland could suggest that the US skills gap is smaller than elsewhere. This is to some extent proven when Indeed compares demand to supply (measured by the difference between the jobs postings and interest in those vacancies). Indeed measures the gap as the percentage of interest against vacancies. With this metric, the higher the percentage, the less the gap: '100%' means that supply matches demand.

Here the US scores relatively well, with 66.7%. Israel fares worst at 28.7%, while the UK is second worst at 31.6%. Of the countries included, only Canada has a smaller skills gap than the US, scoring 68.1%. The US and Canada are the only countries where job-seeker interest is more than 50% of employer demand.

It's not all bad news. In some countries the skills gap is shrinking. In Ireland the mismatch between supply and demand has improved by 14% since 2014. In the US it has improved 7%, and in Israel 5%. But in some countries it is widening: in the UK by 5%, in Brazil by 11% and in Canada by 12%.

"It would be nice to think that the continued media spotlight on cyber security has boosted awareness of the field and the number of professionals entering it," postulates Indeed.com. "But it is too soon to say whether these slight improvements represent the beginnings of a turnaround for global cybersecurity hiring."

The methodology chosen by Indeed.com provides granularity into security specializations. This shows that even where there has been an overall improvement in the skills gap, there still remain hotspots of demand. Job-seeker interest in cloud security only meets 9% of demand in Ireland despite Ireland's overall improvement. Even in the US, supply only meets 22.9% of demand.

Application security is similarly problematic, as supply only meets 20.6% and 36.5% of demand in Ireland and the US respectively. And it is far worse in the UK at a meagre 8.5% of employer demand.

Despite this, there are some specialties where supply exceeds demand; the skills gap has become a jobs gap. There is more interest in security administrator positions than available vacancies in Ireland; and more interest in ethical hacker positions than jobs in both the UK and the US. Both of these jobs gaps are, however, dwarfed by CISO interest in the US; which scores a supply to demand mismatch of more than 200%.

The skills gap details in this report only highlight the gap itself -- the reasons are beyond the scope of the report. Nevertheless, it demonstrates that industry has a long way to go to close the gap. In the meantime, new technologies that require their own brand of security -- such as IoT -- continue to emerge. While we are still trying to catch up with the present, the future will present new difficulties; and the likelihood is that new and major breaches will continue to be revealed for many years to come.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.